Five Cyber Insurance Policy Gaps that Can Spell Disaster for Companies

By Darren McCue, President of Dunbar Security Solutions and Wayne Coffey, Coffey & Company, Inc.

According to a new report from Bay Dynamics, more than one in four board members (26 percent) consider cybersecurity to be the highest priority for their corporation – and for good reason. Between 2013 and 2015, the number of records exposed by data breaches grew from 49 million to over 121 million, costing companies an average of $201 per record lost.

The growing frequency and cost of cyber attacks have led many companies to purchase cyber liability insurance. Premiums for these policies are expected to surpass $20 billion by 2025, up from $2 billion in 2015. Despite the growth in cyber insurance coverage, policies often fail to keep up with the latest cyber threats. As a result, many companies that have been victims of cyber crimes – even those with cyber liability insurance – have lost profits, struggled to fully recover from attacks, and been held liable for cyber damages.

Here are five components that a company’s leadership team needs to ensure are included as part of its cyber liability insurance policy:

Ransomware protection

When ransomware attacks occur, an organization’s files or entire system are locked until a specified amount of money/ransom is paid to the perpetrators. 2016 has seen a string of ransomware attacks targeting a number of industries, especially healthcare. Ransomware typically comes from either compromised websites or email attachments. Employees are tricked into opening attachments, which then install ransomware.

Legal tender vs. monies

As ransomware attacks continue to increase, it is essential for insurance policies to clearly define and cover both “legal tender” and “monies.” Legal tender refers to government-issued circulating currency, while monies refer to a medium of exchange that will hold value for a long period of time. In the cyber realm, this is most often Bitcoin, which is the type of payment usually demanded by those committing a ransomware attack. Companies without coverage for monies may not be eligible for reimbursement of a paid ransom in the event of a ransomware attack.

E-business interruption

In the digital age, the operation of a company’s website is often directly linked to its ability to do business and make money. However, in the event of a cyber attack, websites are often disrupted—a server can fail or ransomware may lock a webpage. Companies, especially those that depend solely on e-commerce for their sales, must be sure that their cyber policy covers e-business interruption.

Third party corruption

One common way that malware is introduced into a company’s system is through a third party. If a business unknowingly sends a corrupted email to another business, thereby compromising their system, the question becomes: who is responsible? The affected business may hold the sender/third party responsible, even if the harm was unintentional. In this instance, if the “culprit” is sued by the affected business, it may be assumed that an insurance policy will cover the costs. However, if coverage for third party corruption is not explicitly stated in the policy, it is likely not covered. As a result, the business that unknowingly passed along the virus will have to deal with the costs of repairing the damage from the incident.

Exclusions

Even if the four previous components are included in a cyber liability policy, they can count for little if companies do not carefully review the exclusions within a policy. For example, a company’s policy may exclude:

As cybersecurity threats continue to evolve, it is vital for companies and their leadership teams to be constantly analyzing and updating their cyber liability policies. Failure to do so can have potentially disastrous consequences.